McAfee Smells a Rat

Security vendor McAfee has released information pertaining to a years-long series of network intrusions and data theft incidents that the company has collectively dubbed "Operation Shady RAT."

The data stolen falls into a broad range of categories: closely guarded national secrets, negotiation plans and exploration details for new oil and gas field auctions, legal contracts, design schematics, data from a U.S. real estate firm, information from the Olympics committees of three countries, and info from the United Nations.

McAfee obtained the information from the files of a botnet's command and control server that it accessed back in 2006, Dmitri Alperovitch, VP of threat research for McAfee Labs, told the media in a press teleconference Wednesday.

Here, There, Everywhere

"We know of hundreds of thousands of servers that were also used by these hackers to victimize people but we don't have visibility into them," Alperovitch said. "We only got information from the one server."

However, extrapolating the information gleaned from that one server to hundreds of thousands of servers reveals the scope of the problem is far worse, Alperovitch stated.

"There are many conclusions in the McAfee report, some every security professional should have reached a long time ago, and some that seem naive and unwarranted," Randy Abrams, an independent security consultant, told TechNewsWorld.

How is it that other large security firms, many of which issue quarterly and annual threat reports and claim to have worldwide intelligence-collecting networks, didn't come up with the same theory as McAfee about a vast, ongoing conspiracy to steal data?

"We believe that McAfee has an incredible reach through their McAfee Labs community," Joe Gottlieb, president and CEO of SenSage, told TechNewsWorld.

Further, McAfee network security data and end-point protections are centrally managed and integrated with third-party systems, and this "makes both the real-time and long-range analysis of suspicious events possible," Gottlieb added.

McAfee's Exposition of Shady RAT

Over the past five to six years, an amount of data that possibly totals petabytes has been stolen, although it's not clear what's being done with the data, McAfee said.

Most of the victims impacted by the attacks over this time have remediated the infections.

McAfee gained access to one Command and Control server used by the intruders and obtained logs from that server that indicate who has been attacked since mid-2006, when the server began to collect activity logs.

McAfee identified 72 compromised parties in 32 organization categories. The victims were scattered throughout 14 geographic locations in the West and Asia. More victims were indicated in the logs, but McAfee doesn't have enough information to identify them accurately.

Most of the victims identified are in the United States. They include defense contractors, U.S. county governments and federal government agencies, and other U.S. companies and organizations.

Other victims include companies in South Korea, Denmark, the UK, three national Olympic committees, the International Olympic Committee, the World Anti-Doping Agency and the United Nations.

McAfee didn't go into specifics about the victims because it's bound by confidentiality agreements, Alperovitch said.

Questions About Shady RAT

Although Alperovitch repeatedly refused to confirm whether or not China was behind the ongoing attacks mentioned in Shady RAT, McAfee had mentioned the Night Dragon and Operation Aurora attacks in its blog.

Both those attacks were also disclosed by McAfee, and both are suspected to have come from servers in China.

However, it's not fair to assume China was the source of the attacks without clear evidence, SenSage's Gottlieb warned.

Some security experts question McAfee's conclusions about the attacks in Operation Shady RAT.

For example, McAfee said the theft of information from various national Olympic committees, the International Olympic Committee and the World Anti-Doping Agency around the time of the 2008 Olympics potentially points to a state actor because there's no commercial benefit from these hacks.

"It doesn't take a lot of imagination to figure out how economic gain could be derived," Abrams pointed out.

"Yes, the attacker there was likely a state actor, but a private hacker could probably sell information to state actors, and the potential for information used for blackmail is not that farfetched," Abrams said.

Further, without additional documentation, it's not safe to assume that the ongoing attacks were backed by any particular organization, Abrams remarked.

"In some cases, the exact nature of the data stolen may be a strong indicator, but you have to know what the data is and that the specific data was the object of the attack," Abrams explained.

Is the Threat Real?

Although McAfee discovered the command and control server back in 2006, it only discovered the server's logs in March and "thought it was a great opportunity to publicize this information," Alperovitch said.

Why is McAfee unveiling news about Operation Shady RAT when it can't provide any detailed information? And why tell the public, which can't really do anything?

It transpired during the press teleconference that McAfee approached victims it had identified from the logs and asked them if they wanted its help.

That raised the question of whether McAfee was trying to pressure those victims into purchasing its services.

"We notified those victims, told them we'd name them publicly and we didn't hear any objection from them, so we proceeded with the public disclosure," Alperovitch said.

The fact that the attacks outlined by McAfee have been going on for so long points to two things, SenSage's Gottlieb said.

First, cybercriminals make it their full-time jobs to get at our information and disrupt our business. Second, we don't have the same level of resources or time as the cybercriminals to be as diligent in our protection practices as we should be.

"We need to come together as cybercriminals do and share intelligence about what we're seeing," Gottlieb said. "No one security solution can do this alone."